Cisco MDS 9000 Family Fabric Manager User Guide, Release 1.2(2a) - Managing Zones and Zone Sets [Cisco MDS 9000 NX-OS and SAN-OS Software]

Table Of Contents

Managing Zones and Zone Sets

Creating Zones and Zone Sets

Setting Default Zone Policy

Creating Additional Zones and Zonesets

Adding Zones to a Zone Set

Cloning Zones and Zone Sets

Adding Zone Members

Activating or Enforcing Zone Sets

Searching the Zone Database

Displaying Port Membership Information

Deleting Zones, Zone Sets, and Members

Changing the Default Zone Policy

Viewing Zone Statistics

Managing Zones and Zone Sets

The Fabric Manager allows you to configure and monitor zones and zone sets (groups of zones) on the
Cisco MDS 9000 Family switch. Zoning allows you to set up access control between hosts and storage devices. You can use zones to control access between devices or user groups, and to increase network security and prevent data loss or corruption.

Note Zones and zone sets can only be created and configured in the Fabric Manager.

To verify the compatibility of the zone configuration on two connected switches, see "Analyzing the Results of Merging Zones" section on page 2-12. For information about zones and zone sets, and configuring them using the command-line interface (CLI), refer to the Cisco 9000 Family Configuration Guide.

Procedures you perform to manages zones and zonesets include:

•Creating Zones and Zone Sets

•Setting Default Zone Policy

•Adding Zones to a Zone Set

•Cloning Zones and Zone Sets

•Adding Zone Members

•Activating or Enforcing Zone Sets

•Searching the Zone Database

•Displaying Port Membership Information

•Deleting Zones, Zone Sets, and Members

•Changing the Default Zone Policy

•Viewing Zone Statistics

Creating Zones and Zone Sets

Zones are configured within VSANs, but you can configure zones without configuring any VSANs by configuring them within the default VSAN. The Logical tab displays the VSANs configured in the currently discovered fabric. Note that zone information must always be identical for all the switches in the network fabric.

To create zones, zone sets, or aliases, perform the following steps.

Step 1 From the Fabric Manager, choose Zone > Edit Full Database on Switch from the Fabric Manager Edit menu bar, or right-click a VSAN folder in the Logical tab and choose Edit Full Database on Switch from the pop-up menu.

The Select VSAN dialog is displayed.

Step 2 Select a VSAN from the dialog box. Click OK to display information for that VSAN, or click Cancel to close the Select VSAN dialog box.

If you click OK, you see the Edit VSANxxx Local Database dialog box for the VSAN you selected.

Step 3 Right click the Zone, Zoneset, or Alias for that VSAN to add a Zone, Zoneset, or Alias.

If you have added a Zone, you can specify that the zone be a read-only zone by checking the Set Zone as Read Only checkbox.

If you have added a ZoneSet, you can activate it by clicking the Activate button. This configuration is distributed to the other switches in the network fabric.

Note When you confirm the activate operation, the current running configuration is saved to the startup configuration. This permanently saves any changes made to the running configuration (not just zoning changes).

Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems.

Setting Default Zone Policy

Each VSAN contains a default zone, which by default, contains all connected devices assigned to the VSAN. Storage or host devices in a default zone do not belong to any other zone and, by default, are denied access to any other devices.

You can change the default zone policy for any VSAN by choosing VSANxxx > Default Zone from the Fabric Manager menu tree and clicking the Policies tab. However, we recommend that you establish connectivity among devices by assigning them to a nondefault zone.

The active zone set is shown in italic type. After you have made changes to the active zone set and before you activate the changes, the zone set is shown in boldface italic type. The tooltip for each zone indicates the activation time or modification time.

Creating Additional Zones and Zonesets

To create additional zones and zone sets, follow these steps:

Step 1 With the Edit Full Database on Switch dialog open, right-click the Zones folder and choose Insert from the pop-up menu.

Step 2 Enter the zone name in the dialog box that appears and click OK to add the zone.

The zone is automatically added to the zone database.

Step 3 To create a zoneset, right-click the ZoneSets folder in the Edit Full Database on Switch dialog box, and choose Insert.

Step 4 Enter the zoneset name in the dialog box that appears and click OK to add the zoneset.

The zoneset is automatically added to the zone database.

Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems.

Adding Zones to a Zone Set

To add a zone to a zone set from the Edit Full Database on Switch window, drag and drop the zone to the folder for the zone set. Alternatively, follow these steps:

Step 1 Click the ZoneSets folder and then right-click the folder for the zone set to which you want to add a zone and choose Insert from the pop-up menu.

You see the Zone Server Select Zone dialog box.

Step 2 Select the zone that you want to add to the zone set and click Add.

The zone is added to the zone set in the zone database.

Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems.

Cloning Zones and Zone Sets

Another method of adding zones and zone sets is to clone existing zones and zone sets. To clone a zone or zone set from the Edit Full Database on Switch window, follow these steps:

Step 1 Click the Zones or ZoneSets folder, right-click the folder for the zone or zone set that you want to clone, and choose Clone from the pop-up menu.

Step 2 Enter the name of the cloned zone or zone set.

By default, the dialog displays the selected zone as ClonedZone1.

Step 3 Click OK to add the cloned zone to the zone database.

Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems.

Adding Zone Members

Once you have created a zone, you can add members to the zone. You can add members using the following port identification types:

•pWWN—The world wide name of the port configured on the end device (in hex format).

•Fabric port WWN—The world wide name of the fabric port on the switch (in hex format).

•FC alias—The alias name in alphabetic characters (for example, Payroll).

•LUN—The logical unit number of a disk in a disk device.

For more information about port identification types, refer to the Cisco 9000 Family Configuration Guide.

To add members to a zone, follow these steps:

Step 1 Click the Zones folder, then right-click the folder for the zone to which you want to add members, and choose Insert from the pop-up menu.

The Add Members to Zone dialog is displayed.

Step 2 Click the checkbox to the left of the NxPort WWN field.

Step 3 Select one of the ports in the VSAN and click Add to add it to the zone.

You see member in the Zone Server database in the lower frame.

Step 4 Repeat these steps to add other members to the zone.

Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems.

Activating or Enforcing Zone Sets

Once zones and zone sets have been created and populated with members, you must activate or enforce the zone set. Note that only one zone set can be activated at any time. If zoning is activated, any member that is not assigned to an active zone belongs to the default zone. If zoning is not activated, all members belong to the default zone.

To activate a zone set, follow these steps:

Step 1 Click the zone set in the Edit Full Database on Switch dialog box.

Step 2 Click Activate.

You see the zone set in the Active Zone Set folder.

Note If one zone set is active and you activate another zone set, the currently active zone set is automatically deactivated.

Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems.

Searching the Zone Database

To search the zone or active zone set databases, follow these steps:

Step 1 Click the Find button on the Edit Full Database on Switch dialog box toolbar.

You see the Find in Zone Database window.

Step 2 Enter the name of the member to be searched for.

Step 3 Click the From: Selection or Start radio button.

Step 4 Check either the Ignore Case or Exact Match check box.

Step 5 Click Next to launch the search.

Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems.

Displaying Port Membership Information

To display port membership information for members assigned to zones, perform the following steps.

Step 1 From the Fabric Manager Logical/Physical pane (Logical tab), click a member within a zone.

Step 2 Click the Storage tab on the Information pane.

You see the Port Membership information displayed in the Information pane.

Note The default zone members are explicitly listed only when the default zone policy is configured as permit. When the default zone policy is configured as deny, the members of this zone are not shown. For more information, see the "Changing the Default Zone Policy" section.

Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems.

Deleting Zones, Zone Sets, and Members

To delete zones, zone sets, or members, perform the following steps.

Step 1 From the Fabric Manager, click the zone or zoneset in the Logical tree of the Logical/Physical pane.

Step 2 Select Zone from the Edit menu, and choose Edit Full Database on Switch.

The Edit Full Database on Switch dialog is displayed.

Step 3 Select the Zone, Zone Set, or Member you want to delete.

Step 4 Right-click the object and choose Delete from the pop-up menu.

The selected object is deleted from the zone database.

Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems.

Changing the Default Zone Policy

Each member in the fabric can belong to any zone. If a member does not belong to any zone, it is part of the default zone. If no zone has been activated in the fabric, all members belong to the default zone. Even though a member can belong to multiple zones, a member in the default zone cannot be part of any other zone.

Traffic can be permitted and denied to members in the default zone. This information is not distributed to all switches. Permission and denial must be set for each switch in the fabric.

To permit or deny traffic to members in the default zone from the Zone Server, follow these steps:

Step 1 Choose VSANxxx > Default Zone from the Fabric Manager menu tree, and click the Policies tab.

The Zone information is displayed in the Information pane.

Step 2 Click the DefaultZoneBehavior field and choose either permit or deny from the pull-down menu.

Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems.

Viewing Zone Statistics

To monitor zone statistics from the Zone Server, choose VSANxxx > Domain Manager from the Fabric Manager menu tree. The Zone information is displayed in the Information pane. Click on the Statistics tab to see the statistics information for the switches in the zone.

Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems.

	Cisco MDS 9000 Family Fabric Manager User Guide, Release 1.2(2a)
	Managing Zones and Zone Sets
Cisco MDS 9000 Family Fabric Manager User Guide, Release 1.2(2a) Preface New and Changed Information Getting Started with Cisco Fabric Manager Using Cisco Fabric Manager and Device Manager Managing Zones and Zone Sets Managing VSANs Managing Software and Configuration Files Managing Interfaces Managing Administrator Access Managing Events and Alarms Managing the System and Components Managing Fibre Channel Routing and FSPF Managing IP Storage Services Configuring IP Filters Managing SPAN Managing Advanced Features	Download this chapter Managing Zones and Zone Sets Download the complete book Full Book PDF (PDF - 2 MB) Feedback Table Of Contents Managing Zones and Zone Sets Creating Zones and Zone Sets Setting Default Zone Policy Creating Additional Zones and Zonesets Adding Zones to a Zone Set Cloning Zones and Zone Sets Adding Zone Members Activating or Enforcing Zone Sets Searching the Zone Database Displaying Port Membership Information Deleting Zones, Zone Sets, and Members Changing the Default Zone Policy Viewing Zone Statistics Managing Zones and Zone Sets The Fabric Manager allows you to configure and monitor zones and zone sets (groups of zones) on the Cisco MDS 9000 Family switch. Zoning allows you to set up access control between hosts and storage devices. You can use zones to control access between devices or user groups, and to increase network security and prevent data loss or corruption. Note Zones and zone sets can only be created and configured in the Fabric Manager. To verify the compatibility of the zone configuration on two connected switches, see "Analyzing the Results of Merging Zones" section on page 2-12. For information about zones and zone sets, and configuring them using the command-line interface (CLI), refer to the Cisco 9000 Family Configuration Guide. Procedures you perform to manages zones and zonesets include: •Creating Zones and Zone Sets •Setting Default Zone Policy •Adding Zones to a Zone Set •Cloning Zones and Zone Sets •Adding Zone Members •Activating or Enforcing Zone Sets •Searching the Zone Database •Displaying Port Membership Information •Deleting Zones, Zone Sets, and Members •Changing the Default Zone Policy •Viewing Zone Statistics Creating Zones and Zone Sets Zones are configured within VSANs, but you can configure zones without configuring any VSANs by configuring them within the default VSAN. The Logical tab displays the VSANs configured in the currently discovered fabric. Note that zone information must always be identical for all the switches in the network fabric. To create zones, zone sets, or aliases, perform the following steps. Step 1 From the Fabric Manager, choose Zone > Edit Full Database on Switch from the Fabric Manager Edit menu bar, or right-click a VSAN folder in the Logical tab and choose Edit Full Database on Switch from the pop-up menu. The Select VSAN dialog is displayed. Step 2 Select a VSAN from the dialog box. Click OK to display information for that VSAN, or click Cancel to close the Select VSAN dialog box. If you click OK, you see the Edit VSANxxx Local Database dialog box for the VSAN you selected. Step 3 Right click the Zone, Zoneset, or Alias for that VSAN to add a Zone, Zoneset, or Alias. If you have added a Zone, you can specify that the zone be a read-only zone by checking the Set Zone as Read Only checkbox. If you have added a ZoneSet, you can activate it by clicking the Activate button. This configuration is distributed to the other switches in the network fabric. Note When you confirm the activate operation, the current running configuration is saved to the startup configuration. This permanently saves any changes made to the running configuration (not just zoning changes). Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems. Setting Default Zone Policy Each VSAN contains a default zone, which by default, contains all connected devices assigned to the VSAN. Storage or host devices in a default zone do not belong to any other zone and, by default, are denied access to any other devices. You can change the default zone policy for any VSAN by choosing VSANxxx > Default Zone from the Fabric Manager menu tree and clicking the Policies tab. However, we recommend that you establish connectivity among devices by assigning them to a nondefault zone. The active zone set is shown in italic type. After you have made changes to the active zone set and before you activate the changes, the zone set is shown in boldface italic type. The tooltip for each zone indicates the activation time or modification time. Creating Additional Zones and Zonesets To create additional zones and zone sets, follow these steps: Step 1 With the Edit Full Database on Switch dialog open, right-click the Zones folder and choose Insert from the pop-up menu. Step 2 Enter the zone name in the dialog box that appears and click OK to add the zone. The zone is automatically added to the zone database. Step 3 To create a zoneset, right-click the ZoneSets folder in the Edit Full Database on Switch dialog box, and choose Insert. Step 4 Enter the zoneset name in the dialog box that appears and click OK to add the zoneset. The zoneset is automatically added to the zone database. Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems. Adding Zones to a Zone Set To add a zone to a zone set from the Edit Full Database on Switch window, drag and drop the zone to the folder for the zone set. Alternatively, follow these steps: Step 1 Click the ZoneSets folder and then right-click the folder for the zone set to which you want to add a zone and choose Insert from the pop-up menu. You see the Zone Server Select Zone dialog box. Step 2 Select the zone that you want to add to the zone set and click Add. The zone is added to the zone set in the zone database. Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems. Cloning Zones and Zone Sets Another method of adding zones and zone sets is to clone existing zones and zone sets. To clone a zone or zone set from the Edit Full Database on Switch window, follow these steps: Step 1 Click the Zones or ZoneSets folder, right-click the folder for the zone or zone set that you want to clone, and choose Clone from the pop-up menu. Step 2 Enter the name of the cloned zone or zone set. By default, the dialog displays the selected zone as ClonedZone1. Step 3 Click OK to add the cloned zone to the zone database. Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems. Adding Zone Members Once you have created a zone, you can add members to the zone. You can add members using the following port identification types: •pWWN—The world wide name of the port configured on the end device (in hex format). •Fabric port WWN—The world wide name of the fabric port on the switch (in hex format). •FC alias—The alias name in alphabetic characters (for example, Payroll). •LUN—The logical unit number of a disk in a disk device. For more information about port identification types, refer to the Cisco 9000 Family Configuration Guide. To add members to a zone, follow these steps: Step 1 Click the Zones folder, then right-click the folder for the zone to which you want to add members, and choose Insert from the pop-up menu. The Add Members to Zone dialog is displayed. Step 2 Click the checkbox to the left of the NxPort WWN field. Step 3 Select one of the ports in the VSAN and click Add to add it to the zone. You see member in the Zone Server database in the lower frame. Step 4 Repeat these steps to add other members to the zone. Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems. Activating or Enforcing Zone Sets Once zones and zone sets have been created and populated with members, you must activate or enforce the zone set. Note that only one zone set can be activated at any time. If zoning is activated, any member that is not assigned to an active zone belongs to the default zone. If zoning is not activated, all members belong to the default zone. To activate a zone set, follow these steps: Step 1 Click the zone set in the Edit Full Database on Switch dialog box. Step 2 Click Activate. You see the zone set in the Active Zone Set folder. Note If one zone set is active and you activate another zone set, the currently active zone set is automatically deactivated. Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems. Searching the Zone Database To search the zone or active zone set databases, follow these steps: Step 1 Click the Find button on the Edit Full Database on Switch dialog box toolbar. You see the Find in Zone Database window. Step 2 Enter the name of the member to be searched for. Step 3 Click the From: Selection or Start radio button. Step 4 Check either the Ignore Case or Exact Match check box. Step 5 Click Next to launch the search. Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems. Displaying Port Membership Information To display port membership information for members assigned to zones, perform the following steps. Step 1 From the Fabric Manager Logical/Physical pane (Logical tab), click a member within a zone. Step 2 Click the Storage tab on the Information pane. You see the Port Membership information displayed in the Information pane. Note The default zone members are explicitly listed only when the default zone policy is configured as permit. When the default zone policy is configured as deny, the members of this zone are not shown. For more information, see the "Changing the Default Zone Policy" section. Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems. Deleting Zones, Zone Sets, and Members To delete zones, zone sets, or members, perform the following steps. Step 1 From the Fabric Manager, click the zone or zoneset in the Logical tree of the Logical/Physical pane. Step 2 Select Zone from the Edit menu, and choose Edit Full Database on Switch. The Edit Full Database on Switch dialog is displayed. Step 3 Select the Zone, Zone Set, or Member you want to delete. Step 4 Right-click the object and choose Delete from the pop-up menu. The selected object is deleted from the zone database. Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems. Changing the Default Zone Policy Each member in the fabric can belong to any zone. If a member does not belong to any zone, it is part of the default zone. If no zone has been activated in the fabric, all members belong to the default zone. Even though a member can belong to multiple zones, a member in the default zone cannot be part of any other zone. Traffic can be permitted and denied to members in the default zone. This information is not distributed to all switches. Permission and denial must be set for each switch in the fabric. To permit or deny traffic to members in the default zone from the Zone Server, follow these steps: Step 1 Choose VSANxxx > Default Zone from the Fabric Manager menu tree, and click the Policies tab. The Zone information is displayed in the Information pane. Step 2 Click the DefaultZoneBehavior field and choose either permit or deny from the pull-down menu. Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems. Viewing Zone Statistics To monitor zone statistics from the Zone Server, choose VSANxxx > Domain Manager from the Fabric Manager menu tree. The Zone information is displayed in the Information pane. Click on the Statistics tab to see the statistics information for the switches in the zone. Note You can access the field descriptions for the windows or dialog boxes in this procedure in the Reference section of the Fabric Manager or Device Manager help systems.
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks